Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/9/2019
03:10 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

How the Skills Gap Strains and Constrains Security Pros

New ISSA/ESG survey underscores increasing pressures and security fallout of a strapped security team.

Most cybersecurity professionals are struggling with heavier workloads and insufficient time to properly master and deploy all of their security tools' features, as well as hone their own skills, according to a new report.

The third annual Enterprise Strategy Group (ESG) and Information Systems Security Association (ISSA) International report on the state of cybersecurity professionals worldwide says nearly three-quarters of organizations are dealing with the fallout of the industry's skills gap. In the past two years, nearly half of the organizations surveyed suffered at least one damaging security incident in which a critical system was compromised, according to the report.

More than 65% of security pros say their current job demands typically impede their ability to develop and advance their skills, and 47% say they can't fully learn and use some security technologies to their "full potential."

"Cybersecurity professionals don't have the luxury of time to improve their skills and manage their careers," says Jon Oltsik, senior principal analyst and fellow at ESG and author of the report. That's a dangerous trend given the increasing demands of more IT devices, applications, and cloud migration without advancing security with these IT moves, he notes.

Overall, cybersecurity pros are fatalistic about their ability to protect their organizations from attackers: A full 91% say most organizations are vulnerable to a major cyberattack, and 94% say cybercriminals and nation-state hackers have the edge over defenders.

"Cybersecurity professionals feel their organizations are at a significant disadvantage if they don't have the ability to acquire new skills," says Candy Alexander, president of ISAA International and an executive cybersecurity consultant.

The report, which drew from a survey by ESG of 267 security and IT pros from ISSA and other groups worldwide, highlights the disconnect between the increasing demands on security pros and the lack of sufficient training and support they need to stay on top of threats.

Some 63% say their organization fails to properly train security staff, which is lacking most glaringly in cloud security, application security, and security analysis and investigation talent.

Filling vacancies and expanding teams takes time. According to a recent ISACA report, finding and hiring qualified cybersecurity pros takes longer than ever now: Thirty-two percent of organizations say filling a position takes six months, up from 26% last year, and more than 60% of organizations say positions sit vacant for at least three months, up from 55% last year.

Stressed Out
Some of the biggest stressors for security pros lie in-house: keeping abreast of new IT projects (40%), learning about new IT projects launched without input or help from the security team (39%), getting end users to embrace best security practices (38%), and getting the business side to better comprehend the risks of cyberthreats (37%).

According to Alexander, those and other organizational stresses are driving some CISOs out the door and to gigs as so-called virtual CISOs, where they operate as a contractor CISO for an organization. It's sort of a next-generation consultant role for C-level security executives. Some 10% of organizations in the survey employ a virtual CISO, while nearly 30% of CISOs in the survey work on this contractor basis, 21% are thinking about doing so, and 33% say they would weigh that option in the future.

That jibes with Alexander's own career path from a traditional CISO to virtual CISO, she says. "It's been a natural progression. Part of that driver is the frustration and stress of being an FTE [full-time employee] CISO," she says. "By going into this virtual space, I am now able to go and do the work without having to prove the value [of the work]. Organizations who hire virtual CISOs know what they need, and you're not fighting organizational challenges that could include fighting for budget."

Meanwhile, cybersecurity professionals remain in high demand in what is still a seller's market. Some 77% of cybersecurity pros are contacted by recruiters at least once a month, and 44% at least once a week. "If you want to develop your career, cybersecurity will have no shortages of offers," Oltsik notes.  

Tipping Point
Among the suggestions security pros have for their organizations is to add cybersecurity goals and metrics for IT and business managers, increase training for the security team as well as nontechnical staff, and provide higher security budgets, according to the report.

"We're at a tipping point in cybersecurity: It's more strategic to the business now, and things that were done in the past aren't really working. If you realize that's the case, then you have to start with strategic changes so the CISO can come in and ... help put [together] the right security program and strategy," Oltsik says.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
bwilkes8@gmail.com
50%
50%
[email protected],
User Rank: Moderator
5/10/2019 | 1:52:23 PM
How the Skills Gap Strains and Constrains Security Pros
Kelly great article.  Is it possible the industry professionals are creating or perpetuating the problem?  I learned from a senior military NCO many years ago, "You're expendable!"  For these professionals to make the statement "they don't have time", sets themselves and the company they work for up for failure, disaster, breaches, you pick.  I took from your article that this is a mentality of the sky is falling in the security realm.  May I ask, how many of these companies are helping themselves and their security team by creating or are actively engaged in finding a solution outside of the traditional ways? This is a self-inflicted wound as we'd say in the military.  It could have been avoided, most importantly it can be corrected.  This situation is a SNAFU and not a FUBAR.

Kelly, if such a high percentage believe the Opposing Force has the edge, a repeatable solution has to be implemented to stave them off.  Are these professionals in your article advocating change within their company or are they simply just dealing with it?

Of the 65% impeded by their jobs, what percentage have onboarded a junior security member?  How many are willing to take on a junior member to mentor?  Is it more productive to be tired and burned out as security professional or to be focused?  How many have made an investment to aid in growth?  I've read many articles similar to yours stating the same thing, but I've only read one this year where the writer proposed a solution.  Here's my two cents.

Investing is done with a goal of receiving "something" in the near or distance future.  Investing is intentional and planned.  Investing is purposeful, planned and should be well executed.  How many of the professionals surveyed are investing in an aspiring or junior security professional?  "Nothing from nothing leaves nothing", no investing in the future means no return, therefore, no gain or in this case no progress in finding a solution to the frustration and burnout these professionals are experiencing.

As as an SME in my fields, in the military, I learned when and what to delegate.  Without delegation being overworked, stressed and substandard performance are guaranteed.  Delegation is not dumping your undesired tasks onto some else's plate, it's giving another individual the opportunity to learn, with oversight.  Yes, you have will spend time training that individual and in the beginning your workload is increased, but in the end a professional is created and a more manageable workload surfaces.  Oversimplified?  Yes, it is, but it's a recipe for a beginning.

I was trained to find solutions to problems and that failure was not an option.  This crisis in the making is manageable.  Just my two cents.
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27660
PUBLISHED: 2020-11-30
SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter.
CVE-2020-27659
PUBLISHED: 2020-11-30
Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter.
CVE-2020-29127
PUBLISHED: 2020-11-30
An issue was discovered on Fujitsu Eternus Storage DX200 S4 devices through 2020-11-25. After logging into the portal as a root user (using any web browser), the portal can be accessed with root privileges when the URI cgi-bin/csp?cspid=&csppage=cgi_PgOverview&csplang=en is visit...
CVE-2020-25624
PUBLISHED: 2020-11-30
hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.
CVE-2020-29378
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password [email protected]#y$z%x6x7q8c9z) for the e...